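# HAProxy configuration template (Jinja2) for a TLS-terminating HTTP proxy.
#
# Variables expected from the caller:
#   log_0/log_1/log_2         - full "log ..." directives for the global section
#   haproxy_pid               - pidfile path
#   haproxy_stats_socket      - argument list for "stats socket" (path and options)
#   ssl_ciphersuites/ssl_options/ssl_dh - full global SSL directives (one per line)
#   frontend_mode/backend_mode - proxy mode for the frontend/backend
#   ssl_crt_path/ssl_name     - location of the PEM bundle bound on :443
#   nc_settings               - true enables the Nextcloud-specific rules
#   network_allowed           - source filter for the network_allowed ACL ('' disables it)
#   backend_balance_method    - balance algorithm
#   backend_default_server    - "default-server ..." line used with nc_settings
#   haproxy_backend_servers   - list of {name, ip} items ('' renders no servers)

global
    {{ log_0 }}
    {{ log_1 }}
    {{ log_2 }}
    chroot /var/lib/haproxy
    pidfile {{ haproxy_pid }}
    maxconn 4000
    user haproxy
    group haproxy
    daemon

    # turn on stats unix socket
    # NOTE(review): the socket's filesystem permissions and privilege level
    # come entirely from whatever {{ haproxy_stats_socket }} expands to;
    # confirm it carries a restrictive "mode"/"user" and the lowest "level"
    # the monitoring tooling actually needs.
    stats socket {{ haproxy_stats_socket }}
    stats timeout 30s

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    {{ ssl_ciphersuites }}
    {{ ssl_options }}
    {{ ssl_dh }}

defaults
    mode http
    log global
    option httplog
    option dontlognull
    #option http-server-close
    #option forwardfor except 127.0.0.0/8
    #option redispatch
    #retries 3
    # NOTE(review): with "timeout http-request" left disabled, the time a client
    # may take to send request headers is bounded only by "timeout client" (1m).
    #timeout http-request 10s
    #timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    #timeout http-keep-alive 10s
    #timeout check 10s
    maxconn 5000
    #errorfile 400 /etc/haproxy/errors/400.http
    #errorfile 403 /etc/haproxy/errors/403.http
    #errorfile 408 /etc/haproxy/errors/408.http
    #errorfile 500 /etc/haproxy/errors/500.http
    #errorfile 502 /etc/haproxy/errors/502.http
    #errorfile 503 /etc/haproxy/errors/503.http
    #errorfile 504 /etc/haproxy/errors/504.http

frontend http_frontend
    mode {{ frontend_mode }}
    bind *:80
    bind *:443 ssl crt {{ ssl_crt_path }}/{{ ssl_name }}.pem alpn h2,http/1.1
    {% if nc_settings is sameas true %}
    # NOTE(review): the global "maxconn 4000" above caps the whole process, so
    # this per-frontend limit of 20000 can never be reached; confirm which
    # value is intended.
    maxconn 20000
    # Nextcloud service-discovery redirects.
    acl url_discovery_dav path /.well-known/caldav /.well-known/carddav
    acl url_discovery_inf path /.well-known/webfinger /.well-known/nodeinfo
    http-request redirect location /remote.php/dav/ code 301 if url_discovery_dav
    http-request redirect location /index.php%[capture.req.uri] code 301 if url_discovery_inf
    # HSTS is only emitted in the Nextcloud profile; other deployments behind
    # this frontend get no HSTS header.
    http-response set-header Strict-Transport-Security max-age=63072000
    {% endif %}
    option forwardfor
    option http-server-close
    {% if network_allowed != '' %}
    #Only allow some services to be available internally
    # NOTE(review): this ACL is defined but no rule in this template references
    # it, so on its own it restricts nothing; the rule that is meant to use it
    # (e.g. an "http-request deny" or "use_backend" condition) still has to be
    # added for the comment above to hold.
    acl network_allowed src {{ network_allowed }}
    {% endif %}
    # Every plaintext request is redirected to HTTPS before reaching a backend.
    redirect scheme https code 301 if !{ ssl_fc }
    default_backend http_servers

backend http_servers
    mode {{ backend_mode }}
    balance {{ backend_balance_method }}
    {% if nc_settings is sameas true %}
    option httpchk HEAD /
    # Persistence cookie inserted by HAProxy itself. Marked httponly and secure:
    # scripts never need to read it, and all client traffic is HTTPS because the
    # frontend redirects plaintext requests, so the browser can be told never to
    # send it in clear.
    cookie SERVERID insert indirect nocache httponly secure
    http-check expect rstatus [2-3][0-9][0-9]
    http-response set-header X-Frame-Options SAMEORIGIN
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; consider whether it is still wanted here.
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header X-Content-Type-Options nosniff
    {{ backend_default_server }}
    {% endif %}
    {% if haproxy_backend_servers != '' %}
    {% for dict_item in haproxy_backend_servers %}
    # No per-server options are rendered here; any health-check settings are
    # expected to come from {{ backend_default_server }} (Nextcloud profile only).
    server {{ dict_item.name }} {{ dict_item.ip }}
    {% endfor %}
    {% endif %}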